add-artifact-attestations-to-workflow


# Add Artifact Attestations to Workflow

Add SLSA build-provenance attestations to existing GitHub Actions workflows for Docker container images.

## Steps

1. **Find existing workflow files** in `.github/workflows/` that contain `docker/build-push-action` or similar steps. Note that composite actions may be used: read both the composite action and the calling workflow together.

2. **Enable OIDC and attestations permissions.** In each workflow's top-level `permissions:` block, grant both the OIDC token and attestations write privileges:

   ```yaml
   permissions:
     id-token: write
     attestations: write
     contents: read       # (existing)
     packages: write      # (existing)
   ```

3. **Log in to container registries.** Ensure an authentication step exists for each registry you will attest against. Judge from the implemented workflow whether any login is missing, rather than always logging in to all registries.

   ```yaml
   - name: Login to GHCR
     uses: docker/login-action@v3
     with:
       registry: ghcr.io
       username: ${{ github.actor }}
       password: ${{ secrets.GITHUB_TOKEN }}

   - name: Login to Docker Hub
     uses: docker/login-action@v3
     with:
       registry: index.docker.io
       username: ${{ secrets.DOCKERHUB_USERNAME }}
       password: ${{ secrets.DOCKERHUB_TOKEN }}

   - name: Login to Quay
     uses: docker/login-action@v3
     with:
       registry: quay.io
       username: ${{ secrets.QUAY_USERNAME }}
       password: ${{ secrets.QUAY_TOKEN }}
   ```

4. **Build and push the image, capturing the digest.** Use `docker/build-push-action@v*` with an `id` so that its output can be referenced. Judge the tags from the implemented workflow.

   ```yaml
   - name: Build and push image
     id: build_push
     uses: docker/build-push-action@v5
     with:
       context: .
       push: true
       tags: |
         ghcr.io/${{ github.repository }}:latest
         index.docker.io/${{ secrets.DOCKERHUB_USERNAME }}/your-repo:latest
         quay.io/${{ github.repository_owner }}/your-repo:latest
   ```

5. **Add attestation steps.** After the `build_push` step, insert one `actions/attest-build-provenance@v3` invocation per registry. The `subject-name` is the full image name without a tag; the `subject-digest` comes from the build step's output. Judge which registries to attest from the implemented workflow.

   ```yaml
   - name: Attest GHCR image
     uses: actions/attest-build-provenance@v3
     with:
       subject-name: ghcr.io/${{ github.repository }}
       subject-digest: ${{ steps.build_push.outputs.digest }}

   - name: Attest Docker Hub image
     uses: actions/attest-build-provenance@v3
     with:
       subject-name: index.docker.io/${{ secrets.DOCKERHUB_USERNAME }}/your-repo
       subject-digest: ${{ steps.build_push.outputs.digest }}

   - name: Attest Quay image
     uses: actions/attest-build-provenance@v3
     with:
       subject-name: quay.io/${{ github.repository_owner }}/your-repo
       subject-digest: ${{ steps.build_push.outputs.digest }}
   ```

6. **Commit changes.** Write the git commit message in English.

   ```bash
   git add .github/workflows/docker_publish.yml # or whatever files you modified
   git commit --signoff -m "ci: add build-provenance attestations for container images"
   ```

7. **Ask the user to push.** Tell the user to push the changes manually and to verify that the attestations are created successfully. DO NOT perform a `git push`.
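To check that an edited workflow actually has the wiring steps 2 to 5 describe (both write permissions, a build step with an `id`, one attestation per pushed image, tag-free `subject-name`, digest taken from that build step), here is an added linter; it is example code, not part of this skill or of GitHub's tooling. It runs over the dict that `yaml.safe_load()` returns for a workflow file, assumes one `docker/build-push-action` step per job, and the `SAMPLE` workflow is constructed.

```python
BUILD, ATTEST = "docker/build-push-action@", "actions/attest-build-provenance@"

def image_name(ref):
    """Drop ':tag' or '@digest' from an image reference (registry/repo stays)."""
    head, sep, last = ref.rpartition("/")
    return head + sep + last.split("@")[0].split(":")[0]

def lint_workflow(wf):
    """Findings for the attestation wiring; empty list means it looks right.
    Added example; assumes one build-push step per job (loaded via yaml.safe_load)."""
    findings = []
    perms = wf.get("permissions") or {}
    for key in ("id-token", "attestations"):
        if perms.get(key) != "write":
            findings.append(f"permissions: need '{key}: write'")
    for job_name, job in (wf.get("jobs") or {}).items():
        steps = job.get("steps") or []
        builds = [s for s in steps if str(s.get("uses", "")).startswith(BUILD)]
        if not builds:
            continue
        build = builds[0]
        if not build.get("id"):  # without an id the digest output cannot be referenced
            findings.append(f"{job_name}: build step needs an id to expose its digest")
            continue
        digest = "${{ steps.%s.outputs.digest }}" % build["id"]
        tags = str((build.get("with") or {}).get("tags", "")).splitlines()
        pushed = {image_name(t.strip()) for t in tags if t.strip()}
        attested = set()
        for s in steps:
            if not str(s.get("uses", "")).startswith(ATTEST):
                continue
            w = s.get("with") or {}
            name = str(w.get("subject-name", ""))
            if w.get("subject-digest") != digest:
                findings.append(f"{job_name}: {name} must use subject-digest {digest}")
            if image_name(name) != name:  # subject-name must be the image name without a tag
                findings.append(f"{job_name}: subject-name '{name}' must not carry a tag")
            elif name not in pushed:
                findings.append(f"{job_name}: subject-name '{name}' was not pushed")
            attested.add(image_name(name))
        for img in sorted(pushed - attested):  # every pushed image needs its own attest step
            findings.append(f"{job_name}: pushed image {img} has no attestation step")
    return findings

# Constructed sample: GHCR and Quay are pushed, but only GHCR is attested.
SAMPLE = {
    "permissions": {"id-token": "write", "attestations": "write", "packages": "write"},
    "jobs": {"publish": {"steps": [
        {"id": "build_push", "uses": "docker/build-push-action@v5",
         "with": {"push": True, "tags": "ghcr.io/${{ github.repository }}:latest\n"
                                        "quay.io/${{ github.repository_owner }}/your-repo:latest"}},
        {"uses": "actions/attest-build-provenance@v3",
         "with": {"subject-name": "ghcr.io/${{ github.repository }}",
                  "subject-digest": "${{ steps.build_push.outputs.digest }}"}}]}}}
```

Run `lint_workflow(yaml.safe_load(open(path)))` on the real file once PyYAML is installed; on `SAMPLE` it reports the missing Quay attestation.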